# redteam/maldev links

Massive thanks to @janoglezcampos for fixing my trash formatting and categorizing it. Now it won't give you eye cancer.

I sometimes put stuff on [my blog](https://codex-7.gitbook.io/). Existing research I read and find useful will be put here.

## Smartscreen and MOTW

* [What is it that makes a Microsoft executable a Microsoft executable?](https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e)
* [The Case of the Missing Digital Signatures Tab](https://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/)
* [Defender SmartScreen Deep Dive 02](https://emsroute.com/2022/12/14/defender-smartscreen-deep-dive-02/)

## Hooking/unhooking

* [Lets Create An EDR… And Bypass It! Part 1: How EDRs inject DLLs to hook processes](https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/)
* [Lets Create An EDR… And Bypass It! Part 2: Preventing the hook from loading into our process by preventing the DLL load](https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/)
* [Userland DLL hooks C# code sample - SharpUnhooker](https://github.com/GetRektBoy724/SharpUnhooker)
* [Evading userland DLL hooks in C# using D/Invoke - D-Pwn](https://github.com/FatCyclone/D-Pwn)
* [Adventures in Dynamic Evasion; unhooking](https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
* [Kernel callbacks](http://www.nynaeve.net/?p=200)
* [Process instrumentation callbacks](https://winternl.com/detecting-manual-syscalls-from-user-mode/)
* [Hooking via exceptions](https://medium.com/@fsx30/vectored-exception-handling-hooking-via-forced-exception-f888754549c6)
* [Evading EDR Detection with Reentrancy Abuse](https://www.deepinstinct.com/blog/evading-antivirus-detection-with-inline-hooks)
* [Unhooking SentinelOne](https://twitter.com/ninjaparanoid/status/1493396083644399616?s=21)
* [Emulating Covert Operations - Dynamic Invocation (Avoiding PInvoke & API Hooks)](https://thewover.github.io/Dynamic-Invoke/)
* [Halo's Gate: Dynamically resolving syscalls based on unhooked syscalls](https://blog.sektor7.net/#!res/2021/halosgate.md)
* [Shellcode detection using realtime kernel monitoring](https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/)
* [EDR tampering](https://www.infosec.tirol/how-to-tamper-the-edr/)
* [Offensive API Hooking](https://ilankalendarov.github.io/posts/offensive-hooking/)

## AMSI/ETW/ETW-TI

* [Proxying DLL Loads for hiding ETW-TI call stack tracing](https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/)
* [Evading ETW-TI call stack tracing using custom call stacks](https://0xdarkvortex.dev/hiding-in-plainsight/)
* [Attacks on ETW Blind EDR Sensors](https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf)
* [Detecting Adversarial Tradecrafts Tools by leveraging ETW](https://github.com/RedTeamOperations/Detecting-Adversarial-Tradecrafts-Tools-by-leveraging-ETW)
* [Data Only Attack: Neutralizing EtwTi Provider](https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider)

## Sleep obfuscation/masking

* [Stack Spoofing](https://github.com/countercept/CallStackSpoofer)
* [SleepyCrypt: Encrypting a running PE image while it sleeps](https://www.solomonsklash.io/SleepyCrypt-shellcode-to-encrypt-a-running-image.html)
* [Sleeping with a Mask On (Cobalt Strike)](https://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/)
* [GPUSleep](https://github.com/oXis/GPUSleep)
* [SilentMoonWalk - a thread stack spoofer](https://github.com/klezVirus/SilentMoonwalk)
* [CallStackMasker](https://github.com/Cobalt-Strike/CallStackMasker)
* [Advanced module stomping using AceLdr](https://dtsec.us/2023-11-04-ModuleStompin/)

## Rootkits

* [Bootlicker - UEFI rootkit](https://github.com/realoriginal/bootlicker)
* [Nidhogg - kernel driver rootkit](https://github.com/Idov31/Nidhogg)

## VBA

* [VBA: resolving exports in runtime without NtQueryInformationProcess or GetProcAddress](https://adepts.of0x.cc/vba-exports-runtime/)

## Direct syscalls

* [SysWhispers is dead, long live SysWhispers!](https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/)
* [Combining Direct System Calls and sRDI to bypass AV/EDR](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/)
* [Implementing Syscalls in Cobalt Strike Part 1 - Battling Imports and Dependencies](https://blog.xenoscr.net/2022/03/12/Implementing-Syscalls-in-Cobalt-Strike-Part-1-Battling-Imports-and-Dependencies.html)
* [When You sysWhisper Loud Enough for AV to Hear You](https://captmeelo.com//redteam/maldev/2021/11/18/av-evasion-syswhisper.html)

## Process injection

* [Process injection sample codes](https://github.com/RedTeamOperations/Advanced-Process-Injection-Workshop)
* [KnownDLLs injection](https://www.codeproject.com/Articles/325603/Injection-into-a-Process-Using-KnownDlls)
* [Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations](https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/)
* [Object Overloading](https://www.trustedsec.com/blog/object-overloading/)
* [HintInject](https://github.com/frkngksl/HintInject)
* [APC techniques](https://github.com/repnz/apc-research)
* [Unicode Reflection - Event Null Byte Injection](https://www.hawk.io/blog/unicode-reflection-event-null-byte-injection)
* [Alternative Process Injection](https://www.netero1010-securitylab.com/evasion/alternative-process-injection)
* [Weaponizing mapping injection](https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html)
* [Advanced-Process-Injection-Workshop by CyberWarFare Labs](https://github.com/RedTeamOperations/Advanced-Process-Injection-Workshop)
* [Threadless inject](https://github.com/CCob/ThreadlessInject)
* [Function hijacking](https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/)
* [Mockingjay (Reusing existing RWX memory) techniques](https://whiteknightlabs.com/2023/07/06/mockingjay-memory-allocation-primitive/)

## General evasion/Execution techs

* [Operational challenges in offensive C - SpecterOps](https://posts.specterops.io/operational-challenges-in-offensive-c-355bd232a200)
* [WORKSHOP // A journey into malicious code tradecraft for Windows // Silvio La Porta and Antonio Villani](https://vimeo.com/727453909)
* [Python library for ML evasion and detection etc](https://github.com/Trusted-AI/adversarial-robustness-toolbox)
* [Massive guide on bypassing anticheat and antidebug - also works in malware against EDRs](https://guidedhacking.com/forums/anticheat-bypass-antidebug-tutorials.46/)
* [3in1: Project aimed to Bypass Some Av Products, Using Different, Advanced Features](https://gitlab.com/ORCA666/3in1)
* [Evasion-Practice: Different evasion techniques/PoCs](https://github.com/cinzinga/Evasion-Practice)
* [Reading and writing remote process data without using ReadProcessMemory / WriteProcessMemory](https://www.x86matthew.com/view_post?id=read_write_proc_memory)
* [SharpEDRChecker: EDR detection](https://redteaming.co.uk/2021/03/18/sharpedrchecker/)
* [StackScraper - Capturing sensitive data using real-time stack scanning against a remote process](https://www.x86matthew.com/view_post?id=stack_scraper)
* [WindowsNoExec - Abusing existing instructions to execute arbitrary code without allocating executable memory](https://www.x86matthew.com/view_post?id=windows_no_exec)
* [Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners](https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners)
* [EDR and Blending In: How Attackers Avoid Getting Caught: Part 2](https://www.optiv.com/insights/source-zero/blog/edr-and-blending-how-attackers-avoid-getting-caught)
* [Adventures in Dynamic Evasion](https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
* [Hindering Threat Hunting, a tale of evasion in a restricted environment](https://www.tarlogic.com/blog/hindering-threat-hunting-a-tale-of-evasion-in-a-restricted-environment/)
* [One thousand and one ways to copy your shellcode to memory (VBA Macros)](https://adepts.of0x.cc/alternatives-copy-shellcode/)
* [Delete-self-poc: A way to delete a locked, or currently running executable, on disk](https://github.com/LloydLabs/delete-self-poc)
* [Writing Beacon Object Files: Flexible, Stealthy, and Compatible: Direct syscalls from the real ntdll to bypass syscall detection](https://www.cobaltstrike.com/blog/writing-beacon-object-files-flexible-stealthy-and-compatible/)
* [Kernel Karnage – Part 9 (Finishing Touches)](https://blog.nviso.eu/2022/02/22/kernel-karnage-part-9-finishing-touches/)
* [Using the kernel callback table to execute code](https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/)
* [Invisible Sandbox Evasion](https://research.checkpoint.com/2022/invisible-cuckoo-cape-sandbox-evasion/)
* [Important: Reduce ur entropy](https://twitter.com/hardwaterhacker/status/1502425183331799043?s=21)
* [Compile your code into mov instructions](https://github.com/xoreaxeaxeax/movfuscator)
* [Perfect DLL Hijacking](https://elliotonsecurity.com/perfect-dll-hijacking/)

## Operational stuff - OPSEC, TTPs, etc.

* [Life of a payload](https://attl4s.github.io/assets/pdf/Understanding_a_Payloads_Life.pdf)
* [PPLMedic](https://github.com/itm4n/PPLmedic)
* [Parent-child process structure](https://mrd0x.com/introduction-to-parent-child-process-evasion/)
* [Echotrail - windows process stats](https://www.echotrail.io/)
* [Browser In The Browser (BITB) Attack](https://mrd0x.com/browser-in-the-browser-phishing-attack/)
* [Black Hills Infosec - Coercion and relays](https://www.youtube.com/watch?v=b0lLxLJKaRs)
* [Pocket Guide to OPSEC in Adversary Emulation](https://ristbs.github.io/2023/02/08/your-pocket-guide-to-opsec-in-adversary-emulation.html)

## Campaign/Operation analysis

* [Observations from the StellarParticle campaign](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/)
* [Ukraine Cyber Operations](https://github.com/curated-intel/Ukraine-Cyber-Operations/)
* [Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability #threatintel report](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a)
* [Post auth RCE based in malicious LUA plugin script upload SCADA controllers located in Russia](https://medium.com/@bertinjoseb/post-auth-rce-based-in-malicious-lua-plugin-script-upload-scada-controllers-located-in-russia-57044425ac38)
* [Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments](https://www.mandiant.com/resources/apt41-us-state-governments)

## Phishing

* [Revisiting Phishing Simulations](https://posts.specterops.io/revisiting-phishing-simulations-94d9cd460934)
* [Phishing page detection via learning classifiers from page layout feature](https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1361-0)
* [List of crowd-sourced phishing sites. Some are still active](https://phishtank.com)
* [mrd0x - phishing with spoofed cloud attachments](https://mrd0x.com/phishing-o365-spoofed-cloud-attachments/)
* [mrd0x - teams abuse](https://mrd0x.com/microsoft-teams-abuse/)
* [mrd0x - phishing with .ics](https://mrd0x.com/spoofing-calendar-invites-using-ics-files/)
* [Phishing with Github](https://www.form3.tech/engineering/content/phishing-github)

## Active Directory

* [A comprehensive guide on relaying](https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/)
* [Automating a Red Team Lab (Part 1): Domain Creation](https://nickzero.co.uk/automating-a-red-team-lab/)
* [Automating a Red Team Lab (Part 2): Monitoring and Logging](https://nickzero.co.uk/automating-a-red-team-lab-part-2/)
* [Announcing Azure in BloodHound Enterprise](https://posts.specterops.io/announcing-azure-in-bloodhound-enterprise-b1a900557cda)
* [AD Trusts](https://medium.com/sse-blog/active-directory-spotlight-trusts-part-2-operational-guidance-ada54ac3bf13)
* [Learn AD basics](https://www.udemy.com/course/active-directory/)
* [Diamond attacks](https://www.trustedsec.com/blog/a-diamond-in-the-ruff/)
* [Certified Pre-Owned (ADCS Abuse)](https://posts.specterops.io/certified-pre-owned-d95910965cd2)

## Initial Access

* [How to Deliver Payloads in an Enterprise Attack with Steve Borosh](https://www.youtube.com/watch?v=vVueJfWmpGc)

## Windows Logon and Credential Security

* [Windows Logon Process Deep Dive](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-logging-on-to-windows/ba-p/2420705?WT.mc_id=modinfra-30798-socuff)
* [How to Detect and Dump Credentials from the Windows Registry](https://www.praetorian.com/blog/how-to-detect-and-dump-credentials-from-the-windows-registry/)
* [DPAPI Deep Dive](https://tierzerosecurity.co.nz/2024/01/22/data-protection-windows-api.html)
* [Mimikatz SSP for Stealing Credentials at Logon](https://blog.xpnsec.com/exploring-mimikatz-part-2/)
* [Kerberos Authentication Deep Dive](https://medium.com/@harikrishnanp006/deep-dive-into-kerberos-authentication-6c124bac26fb)
* [Process Integrity Levels](https://redcanary.com/blog/threat-detection/better-know-a-data-source/process-integrity-levels/)
* [Protected Processes in Windows (LSASS as a PPL)](https://support.kaspersky.com/common/windows/13905)
* [Mimikatz WDigest (Storing Plaintext Credentials in Memory)](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext)
* [Credential Defenses](https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections)
* [Defeating Windows Defender Credential Guard](https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22)
* [NTLM and NTLMv2 Challenge-Response](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)

## Persistence

* [SharpEventPersist](https://github.com/improsec/SharpEventPersist)
* [Persistence – Notepad++ Plugins](https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/)

## OSINT

* [Nrich: CLI tool to quickly analyze all IPs in a file and see which ones have open ports/vulnerabilities](https://gitlab.com/shodan-public/nrich)

## Tools

* [In-memory LSASS dumper using syscalls](https://github.com/helpsystems/nanodump)
* [Walter Planner: Attack path planner](https://jackson_t.gitlab.io/walter-planner/)
* [NimPackt-v1: A Nim-based packer for .NET executables and raw shellcode](https://github.com/chvancooten/NimPackt-v1)
* [PackMyPayload: Payload Containerization](https://github.com/mgeeky/PackMyPayload)
* [TymSpecial Shellcode Loader](https://github.com/ChadMotivation/TymSpecial)
* [KrbRelay](https://github.com/cube0x0/KrbRelay)
* [BadAssMacros: generate malicious macros](https://github.com/Inf0secRabbit/BadAssMacros)
* [PurplePanda: Identify privilege escalation paths and dangerous permissions](https://github.com/carlospolop/PurplePanda)
* [0d1n: a tool for automating customized attacks against web applications](https://github.com/CoolerVoid/0d1n)
* [Inceptor: a tool which can help to automate AV/EDR bypass](https://github.com/klezVirus/inceptor)
* [Injector: Complete Arsenal of Memory injection and other techniques for red-teaming in Windows](https://github.com/0xDivyanshu/Injector)
* [Pixload: Set of tools for creating/injecting payload into images](https://github.com/chinarulezzz/pixload)
* [Cloak: Generate python payloads via msfvenom and inject them into python scripts](https://github.com/s0md3v/Cloak)
* [SNOWCRASH: Create scripts that can be launched on both Linux and Windows machines](https://github.com/redcode-labs/SNOWCRASH)
* [D-Generate - syscall tracing](https://twitter.com/jonaslyk/status/1568450498579111936?lang=en)

## Rootkits (continued)

* [Lord of the ring0](https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html)

## Various contents

* [Myths-About-External-C2](https://xret2pwn.github.io/Myths-About-External-C2/)
* [Running shellcode in electron](https://barbellsandrootshells.com/electron-shellcode-loader)
* [Cause & Effect…ive C2](https://www.ctus.io/2021/06/29/cause-effect-ive-c2/)
* [Eye of the TIBER - A blend of red team trends](https://www.youtube.com/watch?v=qyo6Rmy2odI)
* [Useful Libraries for Malware Development](https://captmeelo.com/redteam/maldev/2022/02/16/libraries-for-maldev.html)
* [Windows EVTX Samples [200 EVTX examples]](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES)
* [Russian Cyber Attack Escalation in Ukraine](https://www.youtube.com/watch?v=kO7LlnvE5Rs)
* [A Study on Blue Team’s OPSEC Failures](http://essay.utwente.nl/84945/1/__ad.utwente.nl_Org_BA_Bibliotheek_Documentfiles_Afstudeerverslagen__Verwerkt_caretta_crichlow_MA_eemcs.pdf)
* [Dive into the MITRE Engage™ Official Release](https://medium.com/mitre-engage/dive-into-the-mitre-engage-official-release-731504542924)
* [Conti leaked chats](https://github.com/tsale/translated_conti_leaked_comms)
* [Conti source code](https://github.com/Cracked5pider/conti_locker)
* [Attack Flow — Beyond Atomic Behaviors](https://medium.com/mitre-engenuity/attack-flow-beyond-atomic-behaviors-c646675cc793)
* [VBA and Function Pointers](https://secureyourit.co.uk/wp/2020/11/28/vbafunctionpointers/)
* [MalAPI: List of Windows APIs classified by usage in malware dev](https://malapi.io)
* [Guest Diary (Etay Nir) Kernel Hooking Basics](https://isc.sans.edu/forums/diary/Guest+Diary+Etay+Nir+Kernel+Hooking+Basics/23155/)
* [BOF2shellcode — a tutorial converting a stand-alone BOF loader into shellcode](https://medium.com/falconforce/bof2shellcode-a-tutorial-converting-a-stand-alone-bof-loader-into-shellcode-6369aa518548)
* [Cobalt Strike User Defined Reflective Loader (UDRL)](https://github.com/kyleavery/TitanLdr/tree/heapencrypt)
* [DynamicWrapperEx – Windows API Invocation from Windows Script Host](https://www.contextis.com/en/blog/dynamicwrapperex-windows-api-invocation-from-windows-script-host?utm_source=linkedin&utm_medium=HootsuiteCTXIS&utm_campaign=649c522f-1883-4b51-8712-a299c4a9ac31)
* [Cracked5pider/ReflectedDll.c: Get output from injected reflective dll](https://gist.github.com/Cracked5pider/8f6196b4da16368318a75ff3b1836195)
* [Nt/Zw Mapping from Kernel32](https://github.com/EspressoCake/NativeFunctionStaticMap/blob/main/Native_API_Resolve.pdf)
* [DEF CON 29 - Ben Kurtz - Offensive Golang Bonanza: Writing Golang Malware](https://www.youtube.com/watch?v=3RQb05ITSyk)
* [A novel technique to communicate between threads using the standard ETHREAD structure](https://github.com/CodeXTF2/dearg-thread-ipc-stealth)
* [VX-Underground Black Mass 2022](https://papers.vx-underground.org/papers/Other/VXUG%20Zines/Black%20Mass%20Halloween%202022.pdf)

## Azure related:

* [Cloud Adoption Framework for Azure Terraform landing zones](https://github.com/Azure/caf-terraform-landingzones)
* [March 2022 Update Release Notes: Cloud Adoption Framework for Azure Terraform landing zones](https://www.youtube.com/watch?v=B2CYOIAFt44)
* [Cloud Adoption Framework for Azure Terraform landing zones Documentation](https://aztfmod.github.io/documentation/)
* [Cloud Adoption Framework for Azure - Landing zones on Terraform - Rover](https://github.com/aztfmod/rover)

## C2 related:

* [Counter Strike 1.6 as Malware C2](https://www.youtube.com/watch?v=b2L1lWtwBiI&t=1s)
* [OffensiveNotion](https://github.com/mttaggart/OffensiveNotion)
* [We Put A C2 In Your Notetaking App: OffensiveNotion](https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332)
* [Building C2 implants in C++](https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer/)
* [C2 matrix - all your c2 needs here](https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0)
* [How GitLab's Red Team automates C2 testing](https://about.gitlab.com/blog/2023/11/28/how-gitlabs-red-team-automates-c2-testing/)

## Blue Team - how we get burnt

* [72-page eBook describing Endgame’s solution to hunting advanced cyberthreats](https://cyber-edge.com/resources/the-endgame-guide-to-threat-hunting/)
* [TiEtwAgent – ETW-based process injection detection (can't unhook from userland)](https://securityonline.info/tietwagent-etw-based-process-injection-detection/)
* [Detection Engineering](https://www.unh4ck.com/detection-engineering-dimensions)
* [How I met your beacon (MDSec x33fcon talk)](https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/)